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@ Method and apparatus for graphically analyzing a log-file. 



@ An apparatus (101) and technique interac- 
tively analyze system log-files. System log-files, 
which are monitored by technical personnel 
and systenns specialists to determine system 
performance, status, and software faults, are 
often generated during various hardware and 
software monitoring operations. Each log-file 
(120) contains time stamped reports. This tech- 
nique is especially useful for analyzing large 
log-files. A new release of software may contain 
many incremental versions that must be tested. 
The testing of each Incremental version may 
generate a log-file containing thousands of re- 
ports. Using this apparatus (101) and technique, 
reports are correlated, faults are isolated, and 
temporal patterns are recognized more quickly 
and efficiently than by using conventional, 
non-graphical techniques. 
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Technical Field 

The invention concerns graphical displays in sys- 
tems having one ormore processors, such as distrit)- 
uted systems, In general and graphical displays of re- 
ports of system log files in particular. 

Background of the Invention 

Many systems generate log-files as part of their 
normal operation. Such files typically contain reports 
on system performance, system status, and software 
faults. These reports are often free-format text. Each 
report is individually time-stamped indicating when it 
was created. By examining a log file, system opera- 
tors may detect and correct system and software 
problems before such problems can affect system op- 
eration. 

A common trait of log-files is that many unimpor- 
tant reports are created along with the important re- 
ports. These "noise" reports clutter-up the log-file 
and obscure the important reports. For example, a 
log-file created during a 15 hour test of a new release 
of a software program including many incremental 
versions may contain 55,000 reports comprising 
100,000 lines of text which is equivalent to 1600 pa- 
ges. But only hundreds of those reports may actually 
be significant. The "noise" reports in the log-file may 
obscure one or more of the important reports and 
cause it to be overlooked by the operator. 

It Is an object of the present invention to provide 
an apparatus for graphically analyzing log files. 

It is another object of the invention to provide an 
apparatus for graphically displaying log files to en- 
able an analyst to find the important reports within the 
log file. 

It is another object of the invention to provide an 
apparatus that displays reports of a log file according 
to class and time of occurrence in order to allow the 
user to see the circumstances of each report. 

It is another object of the invention to provide an 
apparatus that displays reports of a log file according 
to class and time of occurrence and allows the oper- 
ator to interactively browse the reports to analyze the 
cause of the report. 

Summary of the Invention 

Briefly stated in accordance with one aspect of 
the invention the aforementioned objects are ach- 
ieved by providing an apparatus and method for 
showing a plurality of time-stamped, messages that 
have a set of characteristics. The apparatus includes 
a plurality of symbols, with each symbol correspond- 
ing to one of the messages. Each symbol has an ap- 
pearance that varies according to a characteristic of 
the message it corresponds to and a position that is 
determined by a time of the message and a charac- 



teristic of the message. 

Brief Description of the Drawing 

5 While the specification concludes with the ap- 

pended claims particularly pointing out and distinctly 
claiming the subject matter which is regarded as the 
invention, it is believed that the invention will be better 
understood from the following description taken in 
10 conjunction with the accompanying figures in which: 

Fig. 1 is a block diagram of an example log file 
analysis system. 

Fig. 2 is a pictorial view of a typical visual display 
as seen by an operator of the log file analysis system 
15 in a preferred embodiment. 

Fig. 3 is a pictorial view similar to Fig. 2 but with 
finer gradations of time. 

Fig. 4 is a pictorial view similar to Fig. 3 wherein 
only the reports of selected characteristics of the sys- 
20 tern under test are shown. 

Fig. 5 is a pictorial view similar to Fig. 3 wherein 
only reports related to system database integrity 
checkers and correctors according to problem count 
are shown. 

25 Fig. 6 is a pictorial view similar to Fig. 3 wherein 
only reports related to system database integrity 
checkers and correctors according to problem code 
are shown. 

Fig. 7 is the same as Fig. 6 with aselector window 
30 overlaying part of the display. 

Fig. 8 is the same as Fig. 7 with a browser window 
overlaying part of the display. 

Fig. 9 is a detail of a processed log-file in mem- 
ory. 

35 Fig. 10 is a detail of data structures in memory. 

Fig. 11 is a detail of a relation in memory. 

Fig. 12 is a detail of global pool of attribute names 
in memory. 

Fig. 13 is a detail of tuples in memory. 
40 Fig. 14 is a detail of a selector In memory. 

Fig. 15 Is an overview of a process that produces 
a display according to the invention. 

Fig. 16 is a detail of a procedure that produces re- 
lations. 

45 Fig. 17 is a detail of a procedure that processes 

tuples. 

Fig. 18 is a detail of a procedure that produces a 
display according to the invention. 

Fig. 1 9 is a detail of a procedure that produces a 
50 plot for a chart. 

Fig. 20 is a detail of a procedure that produces 
bars for a chart. 

Fig. 21 is a detail of a procedure that produces 
time-bars. 

55 Fig. 22 Is a detail of a read log-file procedure. 

Fig. 23 is a detail of a color log-file procedure. 
Fig. 24 is a detail of a procedure that pick- 
correlates symbols, and 
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Fig. 25 is a detail of a procedure that plots tuples 
on the screen. 

Detailed Description 

5 

Referring now to Fig. 1 , a block diagram of an ex- 
ample tog file analysis system 101 is shown. The sys- 
tem 101 Includes terminal 103, which provides output 
to and receives Input from the system operator, proc- 
essor 113, which performs the actual analysis oper- io 
attons, memory system 115, which contains pro- 
grams 117 executed by processor 113 and relations 
119i - 119| each of which contains a respective set of 
tuples. The system 101 also has a mass storage sys- 
tem 120 for storing a log-file in Its unprocessed state, is 
i.e. the group of time stamped messages as It was 
created. 

In more detail, terminal 103 includes a display 
screen 105, upon which processor 113 displays infor- 
mation for the operator. Display screen 105 also in- 20 
eludes pointer 107, which specifies a location in dis- 
play 105 and may be moved under control of either 
keyboard 109 or mouse 111. The operator controls 
the operation of system 101 by inputs from keyboard 
109 and/or mouse 111. Processor 113 may be any 25 
kind of processor, from a personal computer through 
a workstation or even a supercomputer. Memory sys- 
tem 115, finally, includes any data accessible to sys- 
tem 101 , and may thus include random-access mem- 
ory or read-only memory. Connected to memory sys- 30 
tem 1 1 5 is mass storage system 1 20 which reads data 
into memory system 115 to make such data more ac- 
cessible or stores such as data for the long term. 
Mass storage system 120 may include magnetic disk 
or optical disk 35 

When employing system 101 to analyze informa- 
tion in a log file, the operator may use keyboard 109 
or mouse 111 as input devices. Processor 113 exe- 
cutes programs 117 as required to perform the ana- 
lysis on the relations 1191-119) displays the results 40 
on display screen 105. The operator can then use 
keyboard 109 and/or mouse 111 to Interactively ex- 
amine the results in more detail. 

The preferred embodiment of system 101 runs 
under the UNIX® operating system (UNIX Is a regis- 45 
tered trademark of UNIX Systems Laboratories) us- 
ing a workstation with the X Window System. 

Referring now to Fig. 2, a display 201 is shown on 
display screen 105. This display 201 Is of a log file 
generated during a 15 hour test on a 5ESS distributed so 
system (5ESS is a registered trademark of AT&T) dur- 
ing development. The log-file contains over 55,000 
reports comprising 100,000 lines of text. The display 
201 shows four classes of reports: asserts, i.e. detec- 
tion of a software/data Inconsistency; audits, i.e. sys- 55 
tem database- integrity checkers and correctors; op- 
erations-and-maintenance reports, i.e. hardware 
component removal, diagnostic, restoration and proc- 



ess-purges; and trunk-error reports during communi- 
cation set-ups. 

The first step in making the display 201 of the log- 
file easier to analyze Is the selection of only the "in- 
teresting" reports. In this context, "interesting" means 
those reports that signify either service-affecting or 
potentially service affecting events and software 
faults. The "noise" reports from the log-file are fil- 
tered out by simply not selecting them for processing 
or display. For the log-file considered, many of the re- 
ports are due to follow-up reports such as stack- 
frame, stack-trace, and register dumps. For analysis 
purposes, not only do these "noise" reports not con- 
tribute to the discovery of patterns and correlations 
by the system operator, but they tend to obscure 
those reports that do so contribute. 

The second step in making the display 201 of the 
log-file easier to analyze is the exploitation of its tem- 
poral variations. In other words, use the time-stamp 
of each report as one coordinate for its placement on 
the display 201. Previous text based analysis techni- 
ques, such as those using visual text editors, ob- 
scured the inherent nature of time-stamped log-files 
because the spatial separation of interesting reports, 
i.e. the number of lines separating them, encountered 
while using the text editor has little relation to the per- 
iod of time required to generate those lines. For ex- 
ample, one five-minute period of a log-file could be 
represented by reports having a few hundred lines, 
while anotherfive minute period could be represented 
by reports having a few thousand lines. 

The visualization technique of display 201 ac- 
cording to the present Invention has angled tick- 
marks arranged in a grid. As an example, tick-mark 
202 indicates the occurrence of a report regarding as- 
serts 21101 in vertical axis 204. Tick-mark 202 is cod- 
ed both by its Inclination and color, as will be ex- 
plained below. Along a vertical axis 204 of the grid, re- 
ports are broken down by class and type into bands 
206, 208. 210 and 212 and rows, respectively. Each 
band 206-212 is made up of a distinct class of reports. 
Band 206 is made up of the rows of assert reports, 
band 208 is made up of the rows of audit reports, 
band 210 is made up of the operation and mainte- 
nance report rows and band 212 is made up of the 
trunk error report rows. Within a given class, each row 
is made up of a reports of a single type. A type-name 
is printed on the left side of each row in vertical axis 
204 and the total number of occurrences Is shown on 
the right side of the display in the form of a bar-chart 
at the end of its corresponding row. The bar charts 
are scalable by slider 226 and the longest bar that is 
truncated by the scale appears in light gray. Display 
201 can fit approximately 70 rows on display screen 
105 simultaneously, this includes type-named rows 
and rows used for divider lines between bands. The 
horizontal axis 220 represents time. Time increases 
to the rightof the display 201. Occurrences of a report 
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of a given type are marked by drawing tick-marks 
along the row conresponding to that type at horizontal 
positions that corresponds to the respective times of 
the occurrences as indicated by their time stamps. 
The total number of occurrences of all report types 5 
per unit-time is shown on the bottom of the display in 
the form of a stacked histogram extending from a sec- 
ond horizontal axis 221, which also represents time. 
A slider 228 adjusts the scale of the histograms also. 

A relational data model is used for the displayed io 
data of display 201 . Each of the classes of bands 206- 
212 corresponds to a single relation 119i - 119| 
(shown In Fig. 1). the unique values for the primary at- 
tribute of a relation correspond to the various types 
within a class. On the left side of the display 201, is 
there is an Interactive color scale 224. Interactive col- 
or scale 224 is used to color-code report occurrences 
by the values of secondary attributes 226 of all the re- 
lations 119i - IIQi . Aset of secondary attributes 226 
includes equipment, enror count, error code, event, 20 
signaling set of secondary attributes 226 Includes 
type, processor Identification, and trunk group type, 
as abbreviated in the lower-left corner of the display 
201. The differences in gray scale shading in Fig. 2 
represents the color coding of the reports according 25 
to their respective processor module, AM (unlabeled 
in Fig. 2). SM21, SM23, SM25, SM47 and SM48, as- 
sociated with the report. The color coding of the re- 
ports Is: light blue for SM21. dark green for SM23, 
light green for SM25, yellow for SM47 and red for 30 
SM4B. In addition to using color to encode the a char- 
acteristic with tick marks for the occurrence of re- 
ports, the inclinations of the tick-marks are also used 
to encode a possibly different characteristic. Use of 
color and inclination is complementary. If there are 35 
many values, colors of adjacent hues can be too close 
for the operator to distinguish. Encoding the display 
201 such that both color and inclination encode an in- 
dividual attribute makes adjacent values, although 
close in color, different in angle thus allowing the op- 40 
eratorto distinguish between them. Display 201 uses 
a pre-defined set of six inclination angles that are suf- 
ficiently different to allow the operator to distinguish 
between them. If more than six attributes must be en- 
coded, the same inclination may be reused because 45 
by the time the inclination coding "wraps-around," the 
color coding has progressed to a sufficiently different 
hue to facilitate differentiation. 

The stacked histograms projecting from horizon- 
tal axis 221 are also color coded in order to Indicate 50 
which attributes correspond to the reports generated 
In the time period of the histogram. This Is represent- 
ed by the differences In gray scale shading of the 
stacked histograms. Thus, by looking at the stacked 
histograms of display 201 an operator could see that 55 
the performance of the system 101 began to deteri- 
orate starting in the eleventh hour. Similarly, by ob- 
serving the proportion of dark gray (dark green in the 



corresponding color figure) in the stacked histo- 
grams, the operator could conclude that many of the 
reports are occurring In processor module SM23. 

Referring now to Fig. 3, display 301 Is Identical 
with display 201 except that the horizontal axis 321 is 
divided Into five minute Intervals Instead of the one 
hour intervals of horizontal axis 201. This means that 
the stacked histograms projecting from horizontal 
axis 321 will represent five minute periods instead of 
one hour periods. Using this finer grain time division, 
the operator may now discover spikes of report activ- 
ity starting after 1 .5 hours of testing and repeating ap- 
proximately every 20 minutes. 

Inspection of the bar charts at the end of the 
rows, shows that most of the report activity Is occur- 
ring in the audit class in band 308 and operations and 
maintenance report band 310. According to the length 
of its bar-chart, the most frequently occurring audit 
type names were PORTLA CKTDATA, CDBCOM, 
and ISANBUS. By the same criterion, the most fre- 
quently occurring assert type name was 39999. Re- 
view of the PORTLA, CKTDATA, CDBCOM, ISAN- 
BUS and 39999 rows in display 301 shows a substan- 
tial number of tick marks with the characteristic inclin- 
ation and color of processor module SM23, confirm- 
ing what the bar charts showed. 

If processor modules SM21, SM25, SM47 and 
SM48 are experiencing similar problems as those of 
SM23, only to a lesser degree, a possible system wide 
problem is indicated. If, however, the problems occur- 
ring are isolated to SM23, a localized problem is Indi- 
cated. Using the interactive color scale 224 at the left 
of display 301 the tick marks of one or more of the 
processor modules SM21-SM4d can be turned off, 
i.e. not displayed, In order to reveal such other signif- 
icant report patterns within the log-file. 

Display 401 of Fig. 4 displays the performance of 
processor modules SM25 and SM4d alone. Proces- 
sor module SM25 has the lighter gray tick marks, light 
green on a color display, that are more vertically ori- 
ented. Processor module SM48, on the other hand, 
has the darker tick marks, red on a color display, that 
are more horizontally oriented. Processor module 
SM25 has a burst of report activity of various types 
about two and one half hours into the test and a rea- 
sonably steady stream of ISANBUS audit reports 
over the entire 1 5 hours of the test. Processor module 
SM48, on the other hand, has a report pattern that is 
very similar to the report pattern exhibited by proces- 
sor module SM23. This similarity may Indicate an in- 
ter-module fault between processor modules SM23 
and SM48. 

Display 401, with most of the reports turned off, 
exhibits another correlation. There is a definite corre- 
lation between assert row 39999 reports and the 
"waves" of audits occurring at the same time as the 
row 39999 reports. A "wave" is indicated by a nearly 
vertical sequence of several types of reports. Addi- 
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tionally, a process was also purged, band 410 row 
type PURGED, and numerous trunk-errors occurred, 
band 412 type CRR. Again, processor module SM23 
had a very similar report pattern, thus further indicat- 
ing that an inter-module fault occurred between SM23 5 
and SM48. 

Referring now to Fig. 5, the enror count secondary 
attribute is selected from the set of attributes 526, 
which is essentially the same as 226 in Fig. 2 but with 
ERRORCNT highlighted instead of SM. The error io 
count secondary attribute is selected to analyze the 
reports because of the large number of audit reports. 
Each audit process checks global data and corrects 
inconsistencies. If such an inconsistency is found, an 
error-count for that process is incremented. Fig. 5 15 
shows the audit reports inclination and gray shade 
coded (to represent their respective colors) by their 
respective ERRORCNT attributes. Since only audits 
have an ERRORCNT attribute, only the audit tick- 
marks are shown with their respective inclinations 20 
and gray shades. The tick-marks of the assert band 
506, operations-and-malntenance band 510, and 
trunk-error band 512 all turn black in shade and vert- 
ical in inclination to indicate that they are not defined 
in this operating mode 25 

Display 501 shows that most audits of band 508 
found only small numbers of errors, as shown by the 
blue tick marks. The exception being the PORTLA au- 
dit, which is the most-frequently occurring one. POR- 
TLA consistently found high numbers of enrors in the 30 
log file. This is shown in the corresponding color fig- 
ure by its green tick marks. 

Referring now to Fig. 6, display 601 shows the 
ERRORCODE attributes of the log-file reports. Dis- 
play 601 shows the audit reports inclination and gray 35 
shade coded according to their respective ERROR- 
CODE attributes. It can readily be seen from display 
601 that the enror-codes for the majority of audits are 
the same for the entire 15 hours of the test because 
the tick-marks all have the same inclinatk)n angle. 40 
Here, inclination angle within each row is perhaps 
more effective than gray shade or color because, 
while adjacent error-codes have shades or colors that 
are very dose, they do not have inclination angles 
that are close. 45 

In display 601, as previously in display 501, the 
PORTLA audit is an exception. The cross-hatching 
visible is due to multiple tick marks with various inclin- 
ations. This cross hatching pattern indicates that 
there are multiple pnDblems that triggered this same so 
audit. This is also why PORTLA was the most fre- 
quently-occurring audit, as shown by bar graph 640. 

Often, as is the case with this log-file, there are 
many problems. It would therefore make sense to fo- 
cus our attention to those problems that are causing 55 
the most faults. For software faults, the 5ESS as- 
signs an event number to a sequence of related fault 
reports. For example, each occurrence of the assert 



39999 and its audit waves share the same event num- 
ber. This fact allows us to select only those events 
having the greatest number of associated reports. 
Fig. 7 is the same as Fig. 6 but now using selectors. 
A selector is a por>-up window that allows values of an 
attribute to be turned off in the same manner as the 
color scale. Aselectoralso has a bar-chart that shows 
the total number of occurrences for all the values 

In Fig. 7, selector 701 on event-number has its 
values sorted in descending order by count. Of those, 
only those values that occur the most frequently are 
left on. This is accomplished by clicking 707 none and 
using keyboard 109 or mouse 111 for selecting the 
topmost events. This shows only those faults having 
the greatest number of associated reports. Of those, 
we would like to focus our attention on SM23 and 
SM25 because those are the two SMs on which there 
were the most faults. (Although this infomnation was 
shown In a previous figure, this information is also 
shown by the length of the bars 707 in the SM-selec- 
tor pop-up window 705.) The effect of using selectors 
701 and 705 alters the display such that the tick 
marks corresponding to the selected reports are dis- 
played. 

Refenring now to Fig. 8, display 801 is the same 
as display 701 except for browser window 850. If nnore 
information is desired to conf inm a hypothesis regard- 
ing a particular problem that has been visually ana- 
lyzed, it may be necessary to go back and look at the 
original log-file; to browse through the text of the re- 
port in order to look for additional details that are not 
displayed otherwise. For example, take the occur- 
rence of the first ISANBUS audit at about two and two 
thirds hours into the test, the operator might want to 
look at and around the original report for something 
interesting. Clicking mouse 111 on tick-mark 803 cor- 
responding to the ISANBUS audit pops-up browser 
window 850 with the report from the log-file centered 
in \{. The color-coding of the lines of text in the log-file 
matches the colors in the color scale. The scroll-bar 
852 in the browser window 850 allows the operator to 
browse among the reports nearby in the log-file. 
Browser window 850 also has a pattern search text 
field 854 where the operator may type one or more al- 
phanumeric characters, such as the keyword IN IT, 
and search forward or backward in the log-file for 
match. 

The displays shown in Figs. 2 through 8, respec- 
tively, preferably use color to help show different as- 
pects 

Referring now to Figs. 1 and 9, the method of ob- 
taining displays 201-801 from the log file will be de- 
scribed. Initially, a log-file of a system is stored in 
mass storage 120. The log-file is subsequently read 
into memory 115 where it is processed by processor 
113 according to program 117 into a relational data- 
base of selected portions of the time stamped reports 
that make up the log-file. As the log-file is read in and 
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processed, relations 119, - 119| are stored in memory 
115. For example, the asserts, audits, operations- 
and-maintenance reports, and trunk-error reports 
are four of the relations that are stored. 

Each relation 119i - 119| has a descriptor file 
which contains the names of its attributes. So, these 
attributes describe a relation. The relations and attri- 
butes are associated as the attributes are read into 
memory area 1702. The relations identify those attri- 
butes that they use. and store attribute pointers to 
each attribute used by the relation. If two relations 
use the same attribute, only one entry is made in area 
1702, and each relation has a pointer to that entry. 
Similarly, as the log-file is read in, the tuples are stor- 
ed in memory area 1704 and the relations identify 
those tuples that they use and store tuple pointers to 
each. 

Fig. 12 illustrates the data structures stored in 
the attribute area 1702 in detail. First, there is a global 
pool of attribute names 1802 where each attribute 
name is associated with a pointer to the named attri- 
bute by means of an AVL tree 1 804. Each attribute en- 
try has a name, an associated integer index of the at- 
tribute AVL tree 1 804, a pointer to an AVL tree of val- 
ues 1 808 and a pointer-to- value- node-TO-node value 
information AVL tree 1806. The AVL tree of values 
1 808, which stores all of the values of said attribute, 
either numeric or textual. Each value within AVL tree 
of values 1808, has the value itself is stored, a se- 
quential index of each value is stored, and the number 
of occurrences or frequency of each value is stored. 

Attribute AVL tree 1806 also stores for each at- 
tribute a pointer to Attribute-value-node, a 
masked/not masked flag, and a dynamic vector of 
pointers-to-tuples having said attribute. 

Referring now to Fig. 13, the details of data struc- 
tures stored in the tuple area 1704 will be described. 
A tuple by definition is a set of values of related attri- 
butes, IEEE Std. 100-1992. Each tuple is owned by 
one and only one of the relations 1 1 9^- 1 1 9| . Each tu- 
ple has a pointer back to it owning relation, a time In 
seconds from the beginning of the log-file, a line num- 
ber range in the log corresponding to the message 
that the tuple represents, a mask count (which is nec- 
essary because a tuple may be masked by multiple 
selectors, yet only one mask is necessary to prevent 
display of a value), and a vector of pointers-to-Attri- 
bute-value-nodes rather than redundantly storing the 
values themselves. 

Referring to Figs. 10 and 14,.a selector area 1706 
of memory 1 1 5 stores data structures used by the se- 
lector windows, as shown in Fig. 7. The selector area 
1706 stores a mapping of virtual coordinates of attri- 
bute values within the window to physical coordinates 
of data within the display 701 . This is necessary when 
the values are sorted in descending order by count 
With each value is a masked/not masked bit and a 
flag indicating whether the sorting is currently alpha- 



numeric. The virtual coordinates are the coordinates 
of the values in an ascending order, i.e. the position 
coordinates of the value if no sorting were performed 
within the selector window. The actual coordinates 

5 are the coordinates of the values displayed within the 
selector window after a sort has performed. This 
mapping is necessary in order to be able to reference 
the correct value when selecting a sorted value item 
within a selector window with mouse 111 

10 Fig. 1 5 is a diagram 2101 showing the processes 
performed to obtain the data structures just descri- 
bed and to use those data structures to produce a dis- 
play, such as display 201 or display 701. The create- 
relations procedure 2102 creates the relations 119i - 

15 1 1 9| . It operates on a log-file that has been process- 
ed into a relational database form. 

Referring now to Fig. 16. the create-relations pro- 
cedure 2102 starts processing with the first relation 
119i of relations 119^ - 119|and action 2202 reads the 

20 descriptor file of the first relation 119i . Next, action 
2204 adds attribute names of the descriptor file to 
global pool of attribute names 1802 and also noting 
which attributes are numeric in character. Afteraction 
2204, action 2206 reads a tuple from the log-file da- 

25 tabase. Next, procedure 2208 processes a tuple of 
the current relation, as explained below in Fig. 17. Af- 
ter action 2208, action 2210 checks to see if there are 
more tuples of the current relation to be processed. If 
the answer is yes. process 2102 returns to action 

30 2206 to read another tuple of the current relation. If 
the answer is no, that means all the tuples of the cur- 
rent relation have been processed and process 2102 
proceeds to action 2212. Action 2212 checks to see 
if there is another relation of the relations 119t - 119| 

35 to be created. If the answer is yes, process 2102 re- 
turns to action 2202 and reads the descriptor file of 
a next relation of relations 119i - 119| to be created. 
If the answer is no. that means that process 2102 has 
created all of the relations 119^ - 119| and the process 

40 2101 can proceed to create display process 21 04. 

Referring now to Fig. 1 7, details of the process tu- 
ple procedure 2208 mentioned above will be descri- 
bed before describing create display process 2104. 
Procedure 2208 starts with a tuple of the current re- 

45 lation and proceeds to action 2302. At action 2302, a 
value of the current tuple of the relevant attribute is 
added to the global pool of values 1808 for said attri- 
bute and a pointer to this tuple is added to the list of 
tuples 1810. After action 2302, action 2304 adds a 

50 pointer that points to the current attribute-value node 
in the AVL tree to the cunrent tuple. Next actk)n 2306 
checks to see if a there is another value of the current 
tuple to be processed. If there is another value to be 
processed, procedure 2208 returns to action 2302 to 

55 process the next value as it had processed the previ- 
ous value of the current tuple. If there is not another 
value to be processed, procedure 2208 proceeds to 
action 2308. Action 2308 sets the tuple's pointer to 
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point at the current relation as its owning relation and 
then the processing of this tuple is complete. After 
procedure 2208 has been performed for each tuple in 
each relation 11 9^ - 119| of the relational database 
corresponding to the log file, the result is the tuple 5 
data structure shown in Fig. 1 3. 

Refenring now to Fig. 1 8, details of the create-dis- 
play procedure 2104 will be described. This process 
creates a display, such as display 201 on display 
screen 1 05. Action 2402 creates a color scale selector io 
along the left side of display 201 , shown in Fig. 2 If col- 
or displays are utilized. Colors blue through red in a 
progression of hues may be assigned based on a dis- 
tribution over unique values of a given attribute. 
These colors correspond to the tick-mark colors as 15 
part of a graphical association technique. Next, action 
2404 creates the labels, i.e. the 'names* or symbols 
used in the display, for the current relation corre- 
sponding to the unique values of the primary keys of 
said relation. The labels are the 'fixed' part of the dis- 20 
play and the remaining portions involve further proc- 
essing of the relations conresponding to the log-file 
and their respective data structures mentioned previ- 
ously. 

Action 2406 is a create plot procedure that is de- 25 
scribed in regard to Fig. 19 below. After action 2406 
is action 2408, which is a create bars for chart proce- 
dure. Action 2408 is described in regard to Fig. 20 be- 
low. After action 2408 is action 241 0. which checks to 
see if there is another relation that needs to be dis- 30 
played. If there is another relation that needs to be 
displayed, procedure 2104 returns to action 2404 and 
proceeds through procedures 2406 and 2408 for the 
next relation. If there is not another relatbn to be dis- 
played, then procedure 2104 proceeds to action 35 
2412. Action 2412 is a create time bar procedure, 
which will be explained below in regard to Fig. 21 . This 
completes the creation of a display, such as display 
201, on display screen 105. 

Referring now to Fig. 19, the create plot proce- 40 
dure 2406 will be described. Create plot procedure 
2406 is entered with a relation already selected by 
create display procedure 2104. Action 2502 of proce- 
dure 2406 accesses a tuple of the current relation. 
Next, action 2504 adds pointer-to-tuple to list of tu- 45 
pies in quadtree at the point (x.y) detemiined by the 
tuple's time and the index of the tuple's value into the 
attribute along the y-axis. Action 2504 uses data from 
the database and the tuple data structures shown in 
Fig. 13. Next, action 2506 checks to see if another tu- so 
pie needs to be accessed for the create plot for chart 
procedure 2406. If there is another tuple that needs 
to be accessed, procedure 2406 returns to action 
2502 to access the another tuple of the current rela- 
tion. If there is not another tuple that needs to be ac- ss 
cessed, all tuples of the current relation have been 
processed for the create plot for chart procedure 2406 
and procedure 2406 proceeds to create bars for chart 



procedure 2408. 

Refenring now to Fig. 20, create bars for chart pro- 
cedure 2408 will be described. These bars, bars 214- 
220 on display 201 of Fig. 2, are the horizontal ones 
extending from the right vertical axis ofthe display. As 
with the previous procedure, create bars for chart pro- 
cedure 2408 is entered with a relation 11 9i - 11 9| al- 
ready selected. Action 2602 initializes each of the to- 
tals for each bar of the display to zero. After this, pro- 
cedure 2408 proceeds to action 2604. 

Action 2604 checks to see if the current relation 
has the attribute selected for color-coding. If the cur- 
rent relation does not have said attribute, that means 
the current display is of an attribute that the relation 
does not possess and for such a situation no bars are 
displayed. For example, see band 506 of display 501 
in Fig. 5. In this case, the procedure 2408 jumps for- 
ward to action 241 0 of create display procedure 21 04 
shown in Fig. 18. 

If the current relation does have the attribute se- 
lected for color coding, that means that the current 
display is of an attribute that the relation possesses 
and that one or more bars might be drawn, in which 
case the procedure 2408 proceeds to action 2606. 
Action 2606 access a tuple ofthe current relation and 
proceeds to action 2608. Action 2608 checks to see 
if the accessed tuple is masked. A tuple is considered 
masked if either the value ofthe tuple for the attribute 
being color-coded by has been de-selected by using 
mouse 111 on display 224 of display 201 in Fig. 2, or 
the tuple has a non-zero mask count as shown in Fig. 
13. If the accessed tuple is not masked, procedure 
2408 proceeds to action 2610 which increments the 
total for the bar corresponding to the accessed tuple 
and the procedure 2408 proceeds to action 2612. If 
the accessed tuple is masked, then the procedure 
2408 jumps forward to action 2612 and the total for 
the corresponding bar is not incremented. Afteraction 
2610, action 261 2 checks to see if there is another tu- 
ple ofthe current relation to access. If there is another 
tuple to access, procedure 2408 returns to action 
2606 to access another tuple. If there is not another 
tuple to access, then all ofthe bars for the current re- 
lation have been created and procedure 2408 pro- 
ceeds to action 2410. 

Action 2410, as mentioned above with regard to 
Fig. 18, loops procedure 2104 back in order to proc- 
ess another relation for chart labels, plots and bars. 
After all ofthe relations 119^ - 119| have been through 
actions 2402-2410, then the create display procedure 
2104 proceeds to create time bar process 2412. 

Referring now to Fig. 21 , the create time bar pro- 
cedure 2412 will be described. The create time bar 
procedure 2412 is independent of individual relations 
and is taken over all tuples. Action 2702 at the begin- 
ning of procedure 2412 initializes all time bar totals to 
zero. Next procedure 2412 proceeds to action 2704 
where a value ofthe attribute that is being color coded 
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by is accessed. Next, action 2706 checks to see if the 
accessed value is masked by the color selector. If the 
accessed value Is masked, then this value will not 
contribute to a time bar and the procedure jumps for- 
ward to action 2716, which will be explained below. If 5 
the accessed value is not masked, then this value will 
contribute to a time bar and procedure 241 2 proceeds 
to action 2708. 

Action 2708 accesses the tuple having the ac- 
cessed value. Next, action 2710 checks the accessed io 
tuple to see if this tuple is masked. If this tuple is 
masked, then the procedure 2412 jumps forward to 
action 2714 and this tuple does not contribute to the 
cunrenttime bar. If this tuple is not masked, then pro- 
cedure 2412 proceeds to action 2712 where the cur- is 
rent time bar total is incremented before proceeding 
to action 2714. The relevant time bar is determined by 
dividing the tuple's time in seconds by the current 
time interval length. 

Action 2714 checks to see if there is another tu- 20 
pie having the accessed value. If there is another tu- 
ple having the accessed value, then procedure 2412 
returns to action 2708 to process said tuple. If there 
is not another such tuple, then procedure 2412 pro- 
ceeds to action 2716. Action 2716 checks to see If 25 
there is another value to process. If there is another 
value to process, procedure 2412 returns to action 
2704 to process this value. If there is not another val- 
ue to process, then procedure 2412 has completed all 
of the time bars and the create display procedure 30 
2104 is completed. At this point, the data for every 
part of the display 201 has been created except for 
the tick marks, which is described in Fig. 25. But, to 
create part of the special display 701, procedures 
2106 and 2108 are needed. 35 

Referring now to Fig. 22, a read log-file process 
2106 will be described. This is a process for use in a 
browser window. Action 2802 reads the log file into 
memory 115. Next, action 2804 initializes a buffer 
pointer at the start of the log-file in mennory. Next, ac- 40 
tion 2806 examines the character at which the buffer 
pointer is pointing. This examination determines if the 
character is a newline character or some other char- 
acter and then procedure 2106 proceeds to action 
2808. Action 2808 checks to see if the character the 45 
buffer pointer is pointing to is a newline character. If 
it is not a newline character, the procedure 2106 
jumps forward to action 2814. If the character the buf- 
fer pointer is pointing to is a newline character, then 
procedure 2106 proceeds to action 2810. so 

Procedure 2106 reaches action 2810 because a 
new line of text has started as signified by the newline 
character. Action 281 0 changes the newline character 
to the null character to terminate the line of text in 
memory. Next, action 2812 sets the pointer for the 55 
line 1610 to one past the newline character, i.e. at the 
start of the new line of text and proceeds to action 
2814. Action 2814 checks to see if there is another 



character to be examined. If there Is another charac- 
ter to be examined, procedure 2106 returns to action 
2806 to examine another character. Procedure 2106 
will loop back in this manner until the start of each 
new line has been stored in memory 1 1 5 and there are 
no more characters in the log-file to be examined. At 
this point, overall procedure 2101 proceeds to proce- 
dure 2108. 

Refenring now to Fig. 23, a color log file proce- 
dure 2108 will be described. This procedure sets the 
color of the log file text to the same colors as the tu- 
ples displayed on the screen 105 as a visual device 
that confirms to the operator that the log file report 
brought up in a browser window 850, as seen in Fig. 
8, by pointing the pointer 107 and clicking a button of 
the mouse 111 is related to the tick-mark clicked on 
in the display. 

Action 2902 is the first action and this action ac- 
cesses an attribute. Next, action 2904 accesses a re- 
lation. Next, action 2906 accesses a tuple of the ac- 
cessed relation. After action 2906, action 2908 
checks to see if the accessed relation has the ac- 
cessed attribute. If the accessed relation does not 
have the accessed attribute, procedure 2108 pro- 
ceeds to action 2912 which sets the color indices 
1620 corresponding to the line number range for the 
cunrent tuple to white and proceeds to action 2914. If 
the accessed relation does have the accessed attri- 
bute, procedure 2108 proceeds to action 2910 which 
sets color indices 1620 corresponding to the line 
number range for the current tuple to the index of the 
tuple's value in the current attribute and proceeds to 
action 2914. 

Action 2914 checks to see if there is another tu- 
ple of the relation to be accessed. If there is another 
tuple, then the procedure 21 08 returns to action 2906 
to access this other tuple to check for the current at- 
tribute. If there is not another tuple of this relation, 
procedure 2108 proceeds to action 2916 which 
checks to see if there is another relation. If there is an- 
other relation, procedure 2108 returns to action 2904 
to access the relation to check the tuples thereof for 
the attribute. If there is not another relation to check, 
procedure 2108 proceeds to action 2918 to check if 
them is another attribute to be accessed. If there is 
another attribute to be accessed, procedure 2108 re- 
turns to action 2902 to access this other attribute to 
see if it the relations of the current relation have this 
attribute. If there is not another attribute to access, 
that means that ail the attributes have been accessed 
and all of the log-file lines have had color coding set 
and stored either to the color of their respective tu- 
ple's values or to white. 

Referring now to Fig. 24, a pick correlation pro- 
cedure 3001 will be described. Pick correlation of 
symbols procedure 3001 is used to allow the operator 
to interact with the display via the pointer 1 07 and the 
mouse 111 . Action 3002 converts mouse physical co- 
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ordinates (x,y) to time in seconds, I.e. the horizontal 
axis, and an index into the values of the attribute 
along the y-axis. Next, action 3004 takes the convert- 
ed coordinates (x',y') and searches a quadtree list for 
a list of tuples at said coordinates. After action 3004. 
action 3006 checks to see if the search found a list of 
tuples at (x',y'). If no list was found, procedure 3001 
is done and correlation process is finished, i.e. no cor- 
relation resulted. 

If a list of tuples is found, action 3008 accesses 
a tuple on the list via a pointer and procedure 3001 
proceeds to action 3010. Action 3010 checks to see 
if the accessed tuple is masked. If It is masked, pro- 
cedure 3001 proceeds to action 301 2 wh ich checks to 
see if there is another tuple on the list. If there is, pro- 
cedure 3001 returns to action 3008 to access and 
check for masking of this tuple. If there is not another 
tuple, procedure 3001 terminates. If the tuple ac- 
cessed by action 3008 is not masked, the procedure 
3001 proceeds from action 3010 to action 3014. Ac- 
tion 3014 is the desired result, from the operators 
point of view, for action 3014 interactively scrolls a 
browser window 850 to display the report in the log- 
file that corresponds to the tick mark 803 clicked on 
with mouse 111. 

Referring now to Fig. 25, procedure 3101 of plot- 
ting of tuples on the screen 105 will be described. Ac- 
tion 3102 accesses a tuple on the display to be plot- 
ted. Next, action 3104 checks to see if this tuple is 
masked. If this tuple is masked, procedure 3101 
jumps to action 31 1 4 to search for another tuple. If this 
tuple is not masked, procedure 3101 proceeds to ac- 
tion 31 06. Action 31 06 sets the color according to the 
index of the tuple's value into the values of the attri- 
bute being color-coded by. Next, action 3108 determi- 
nes the (x,y) position based upon the tuple's time and 
its index into the values of the attribute being used 
along the y-axis. Next action 3110 sets the angle of 
inclination of a to-be-drawn tick-mark according to the 
index of the tuple's value Into the values of the attri- 
bute being angle-coded by. Next, action 3112 draws 
the inclined and color coded line centered at the (x,y) 
position on screen 105. After, action 3112, procedure 
3101 proceeds to action 3114 which checks to see if 
there is another tuple to possibly plot. If there is an- 
othertuple, procedure3101 returns to action 3102 for 
this next tuple. If there is not another tuple, all of the 
tuples have been plotted on the screen 105 and the 
process 3101 is completed. 

Referring back to Fig. 15, procedure 2110 is the 
run program process, which forms various displays 
from all of the graphical data that has been created 
and stored by procedures 2102, 2104, 2106, and 
2108. In addition, the run program procedure 2110 
uses procedures 3001 and 3101 to provide the oper- 
ator with an interactive graphical display for analyzing 
a log-file. 

An apparatus according to the present invention 



enables an operator to quickly find and isolate inter- 
esting messages within a processor system, even a 
distributed processor system. Further, because the 
interesting messages are discovered so rapidly, the 

5 invention enables the operator to find second-level 
messages, some of which might not be discoverable 
with the previous text based techniques. 

While the invention has been particularly illu- 
strated and described with reference to preferred env 

10 bodlments thereof, it will be understood that various 
changes in form, details, and applications may be 
made therein. For example the invention could be 
used with a distributed computer system instead of a 
distributed switching processor system. 

15 

Claims 

1. Apparatus having means for originating a plural- 
20 ity of time-stamped messages, each message 

having a set of characteristics and means for vis- 
ually displaying a plurality of symbols, character- 
ized in that, 

each symbol corresponding to a respec- 
25 tive message of said plurality of messages; 

each symbol having an appearance that 
varies according to a characteristic of its respec- 
tive message; and 

each symbol having a position that is de- 
30 termined by the time-stamp and a second char- 
acteristic of its respective message. 

2. The apparatus according to claim 1 , wherein val- 
ues of said characteristic are ordered. 

35 

3. The apparatus according to claim 1 , wherein: 

each symbol is a line-segment of varying 
inclination and varying color 

40 4. The apparatus according to claim 1 , wherein: 

each symbol is a line-segment varying in 
inclination, color and visual texture. 

5. The apparatus according to claim 1 , wherein: 

45 each symbol is a geometric shape varying 

in color. 

6. The apparatus according to claim 1 , wherein: 

each symbol is a geometric shape varying 
50 in visual texture. 

7. The apparatus according to claim 1 . wherein: 

each symbol is a geometric shape varying 
in color and visual texture. 

55 

8. The apparatus according to claim 1 , further char- 
acterized by means for displaying the message 
corresponding to any symbol. 
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9. The apparatus according to claim 8, further char- 
acterized by means for searching the plurality of 
messages for a textual pattern. 

10. The apparatus according to claim 1 , further char- 
acterized by means for displaying a total of occur- 
rences of messages of a specific type. 

11. The apparatus according to claim 10, wherein 
said time interval is adjustable. 

12. The apparatus according to claim 1 , further char- 
acterized by means for displaying a total of all 
messages time stamped within a time interval. 

13. The apparatus according to claim 12, wherein 
said time interval is adjustable. 

14. The apparatus according to claim 1 , further char- 
acterized by means for turning off the displaying 
of all symbols except those having a characteris- 
tic that they are from a selected module. 

15. The apparatus according to claim 14, wherein 
said selected module is a processor module. 

16. The apparatus according to claim 1 , further char- 
acterized by means for displaying a selector win- 
dow that allows selected values of an attribute to 
not be displayed. 



having an appearance that varies according to a 
characteristic of its respective message; and 

locating each symbol at a position that Is 
determined by its respective time-stamp and a 
5 second characteristic of its respective message. 
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17. Apparatus having a processor, a random access 
memory, a mass storage device having a plurality 
of unprocessed log file messages stored therein, 
a relational data base process performed by said 3S 
processor to process said plurality of unpro- 
cessed log file messages into a set of relations 
stored in said random access memory, character- 
ized by 

display means for visually displaying non- 40 
textual geometric representations of said rela- 
tions derived from said plurality of log file mes- 
sages. 



18. Apparatus forvisually presenting a log file having 45 
a plurality of time-stamped messages, each mes- 
sage having a set of characteristics, character- 
ized in that graphical techniques are employed to 
visually distinguish between characteristics of 
said messages. so 



19. A method for analyzing a plurality of time- 
stamped messages originated by a system, each 
message having a set of characteristics, charac- 
terized by 55 

visually displaying a plurality of symbols, 
each symbol corresponding to a respective mes- 
sage of said plurality of messages, each symbol 
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FIG, 25 
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